WordPress Plugin User Role Editor is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions by gaining administrator access. WordPress Plugin User Role Editor version 4.24 is vulnerable; prior versions may also be affected. The WordPress User Role Editor plugin prior to Read more…
Plainview Activity Monitor plugin for WordPress could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability using shell metacharacters in the ip parameter to inject and execute arbitrary OS commands on the system. The Plainview Activity Read more…
Restricted shells are conceptually shells with restricted permissions, with features and commands working under a very peculiar environment, built to keep users in a secure and controlled environment, allowing them just the minimum necessary to perform their daily operations. Once hackers get a low privileged shell, even a restricted one, Read more…
Apache James is a mail and news server and software framework written in Java. A bug in version 2.3.2 enables an attacker to execute arbitrary commands on the machine running the server. The vulnerability arises from an insecure default configuration and a lack of input validation in the server’s user Read more…
LXD is a next generation system container manager. It offers a user experience similar to virtual machines but using Linux containers instead. LXD is Ubuntu’s container manager utilizing Linux containers. It could be considered to act in the same sphere as Docker, The lxd group should be considered harmful in Read more…
Shellshock is effectively a Remote Command Execution vulnerability in BASH. The vulnerability relies in the fact that BASH incorrectly executes trailing commands when it imports a function definition stored into an environment variable. A lot of programs like SSH, telnet, CGI scripts allow bash to run in the background allowing Read more…
fcrackzip is a third-party tool for cracking zip files passwords. It tries to brute force using a list of passwords. Installation sudo apt install fcrackzip Before using fcrackzip we need a password protected zip file. zip –password <password><filename.zip> <data> zip –password vk9security new_file.zip data.txt How to use 1. Show help Read more…
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount Read more…
This lab is intended to demonstrate how to exploit BoF in Linux. The vulnerable application is Panel which can be downloaded from a VulnHub machine (https://www.vulnhub.com/entry/pinkys-palace-v2,229/). The executable can be found at (https://github.com/vry4n/BoF-Panel-Linux) This application is a custom app that runs on port 31337 & it is vulnerable to Buffer Read more…
Ssh2john is part of John The Reaper suite. This is a script that basically transforms [RSA/DSA/EC/OPENSSH (SSH private keys) ] private key to john format for later cracking using JtR How to 1. Having an RSA private key already cat id_rsa 2. locate the ssh2john script using find find / Read more…
Port Knocking is a method used to secure your port access from unauthorized users. Port Knocking works by Opening ports on a firewall by generating a connection attempt on a set of defined closed/open ports. Once a correct sequence of connection attempts is received, the firewall will open the port Read more…
WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes. This tool is available at: https://github.com/wpscanteam/wpscan, this comes installed in most security distributions. How to use 1. Display Read more…
chkrootkit is a tool to locally check for signs of a rootkit (http://www.chkrootkit.org/). It contains: chkrootkit: a shell script that checks system binaries for rootkit modification. ifpromisc.c: checks if the network interface is in promiscuous mode. chklastlog.c: checks for lastlog deletions. chkwtmp.c: checks for wtmp deletions. check_wtmpx.c: checks for wtmpx Read more…
The Network File System (NFS) is a client/server application that lets a computer user view and optionally store and update files on a remote computer as though they were on the user’s own computer. The NFS protocol is one of several distributed file system standards for network-attached storage (NAS). NFS Read more…
FreeBSD could allow a local attacker to gain elevated privileges on the system, caused by insufficient permission checks within the virtual memory system. An attacker could exploit this vulnerability using specific memory mapping and tracing operations to modify portions of the traced process’s address space. The vm_map_lookup function in sys/vm/vm_map.c Read more…
This time we will transfer a file using netcat, we will see examples from machine vk9-sec to lab-kali Bind connection 1. CLIENT: First, we will create a random file echo “Vry4n has been here.” > sample.txt cat sample.txt 2. SERVER: we will open a port in the remote machine waiting Read more…
PhpTax is free software to do your U.S. income taxes. Tested under Unix environment. The program generates .pdfs that can be printed and sent to the IRS. http://sourceforge.net/projects/phptax/ An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. User tainted data is used Read more…
PHP library pChart 2.1.3 (and possibly previous versions) by default contains an examples folder, where the application is vulnerable to Directory Traversal and Cross-Site Scripting (XSS). This has been taken from (https://www.exploit-db.com/exploits/31173) Exploiting Directory Traversal 1. Visiting the application at (http://192.168.0.18/pChart2.1.3/examples/index.php), we get to the examples folder. 2. This tool Read more…
HT is a file editor/viewer/analyzer for executables. The goal is to combine the low-level functionality of a debugger and the usability of IDEs. We plan to implement all (hex-)editing features and support of the most important file formats. Exploit 1. Check what sudo permission the current user has, desired “NOPASSWD” Read more…
Lotus CMS is a content management system built using PHP as a programming language, created by a company called Vipana LLC. This CMS is no longer being developed or maintained by its team, so download the files to set up your own Lotus CMS demo might pose some security issues. Read more…
The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. Summary of every phase in Incident response life cycle 1. Preparation This phase will be the work horse of your incident response planning, and in Read more…
Incident response is a structured process organizations use to identify and deal with cybersecurity incidents. Response includes several stages, including preparation for incidents, detection and analysis of a security incident, containment, eradication, and full recovery, and post-incident analysis and learning. This post is a shorter summary of NIST official documentation. Read more…
Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. which make up your IT infrastructure and business. Mainly Splunk does these things: Ingests Data Parses, indexes and stores data Runs searches on index data For more info visit: Read more…
Robtex is a service which gathers public information about IP addresses, domain names, host names, Autonomous systems, and more. How to use 1. Access https://www.robtex.com/dns-lookup and search for the domain 2. In the results we can find Analysis DNS servers Mail servers IP address Quick Info FQDN DNS servers Records Read more…
Find out the infrastructure and technologies used by any site using results from Netcraft The information that netcraft provides includes: Background — This includes basic domain information. Network — This includes information from IP Address to Domain names to nameservers. SSL/TLS — This gives the ssl/tls status of the target Read more…
Information gathering is the first step of Ethical Hacking, where the penetration tester or even hackers gather information on their target victims. To increase your chances of a “successful” hacking, you will need to do a good job and spend time on this stage. There is a couple of information Read more…
NTDS.DIT These hashes are stored in a database file in the domain controller (NTDS.DIT) with some additional information like group memberships and users. The NTDS.DIT file is constantly in use by the operating system and therefore cannot be copied directly to another location for extraction of information. This file can Read more…
Cached domain logon information Windows caches previous users’ logon information locally so that they can log on if a logon server is unavailable during later logon attempts. If a domain controller is unavailable and a user’s logon information is cached, the user will be prompted with a dialog that says: Read more…
In Windows 10 we can also gather credentials. This guide is focused on techniques that work in Windows 10. The attacker need at least an account or shell in the server That user need administrative privileges Having a shell in Meterpreter as an example we can migrate to a process Read more…
This time our target is Windows 7, having a reverse connection and appropriate privileges we can gather hashes, this is part of post exploitation activity. Metasploit Hashdump With hashdump meterpreter command we can extract hashes, we need to first migrate to a system process and then run the command 1. Read more…
This is to demonstrate different techniques to extract Windows users’ password. We need admin privileges to gather this information. Metasploit Hashdump Having a meterpreter session we can execute the command “hashdump” to get the values of all saved passwords of windows users sysinfo hashdump Load Mimikatz (kiwi) Meterpreter load kiwi Read more…
Most of the theory here has been taken from SANS documentation (https://www.sans.org/reading-room/whitepapers/testing/paper/39170) . This is intended to provide a summary about NT hashes and Pass the hash. LM Password Hashes The LAN Manager hash was one of the first password hashing algorithms to be used by Windows operating systems, and Read more…
This time we’ll exploit Minishare 1.4.1. This is a web application that runs on port 80 as HTTP, you can share files and the users can download them from the site. I uploaded the application to GitHub (https://github.com/vry4n/BoF-MiniShare-1.4.1) Lab details Windows XP x86 (192.168.0.5) Immunity debugger MiniShare 1.4.1 Kali (192.168.0.20) Read more…
This lab is intended to demonstrate how to exploit BoF in Windows. The vulnerable application is FreeFloat which can be downloaded from (https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip). The Freefloat FTP Server has many vulnerable parameters, which can be useful to practice on, and we will choose one of them here to do a full Read more…
Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. Installation 1. Run the commands below and wait for installation to complete sudo apt-get -y install git git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh –force –silent 2. Upon completion. You can run the application with the command Read more…
This time we will configure basic AD and DNS functionality. The terms object, organizational unit, domain, tree, and forest are used to describe the way Active Directory organizes its directory data. Like all directories, Active Directory is essentially a database management system. The Active Directory database is where the individual Read more…
curl, short for “Client for URLs”, is a command line tool for transferring data using various protocols. This tool has applications in many household products such as tablets, printers, cars, routers, etc. There is a vast amount of use-cases for curl, such as: FTP upload Proxy support SSL connections HTTP Read more…
PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes Read more…
Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) Read more…
Empire 3 is a post-exploitation framework that includes a pure-PowerShell Windows agent, and compatibility with Python 3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture. Documentation GitHub: https://github.com/BC-SECURITY/Empire Client: https://github.com/BC-SECURITY/Starkiller Installation Server 1. Download Read more…
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that Read more…
SILENTTRINITY is modern, asynchronous, multiplayer & multiserver C2/post-exploitation framework powered by Python 3 and .NETs DLR. It’s the culmination of an extensive amount of research into using embedded third-party .NET scripting languages to dynamically call .NET API’s, a technique the author coined as BYOI (Bring Your Own Interpreter). The aim Read more…
It allows you to analyze the SSL/TLS configuration of a server by connecting to it, in order to detect various issues (bad certificate, weak cipher suites, Heartbleed, ROBOT, TLS 1.3 support, etc.). It is a Python tool that can analyze the SSL configuration of a server by connecting to it. Read more…
A self-signed certificate is a certificate that is signed by the person creating it rather than a trusted certificate authority. Self-signed certificates can enable the same level of encryption as a $1700 certificate signed by a trusted authority. (Self-signed certificates or certificates issued by a private CAs are not appropriate Read more…
Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB. An attacker can capture usernames and passwords on a local network by Read more…
Server Message Block (SMB) is a networking file share protocol included in Windows workstation and Windows server that provides the ability to read and write files and perform other service requests to network devices on a share. Windows supports file and printer sharing traffic by using the Server Message Block Read more…
SMTP is an application layer protocol. The client who wants to send the mail opens a TCP connection to the SMTP server and then sends the mail across the connection. The SMTP server is always on listening mode. As soon as it listens for a TCP connection from any client, Read more…
Vulnerabilities in SMB Shares are Medium risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely. Things that might be Read more…
FTP is a method to access and share files on the internet. The protocol is a way to communicate between computers on a TCP/IP network, FTP is a TCP based service exclusively and it is a client-server protocol where a client will communicate with a server. “File Transfer Protocol,” can Read more…
This document is intended to help understand what happens by PHP back-end processing of SQL queries, how to test SQL injections and how to secure code. Our goals here are the following Building MySQL database Create a PHP scripts to access & query the database HTML code as front-end Test Read more…
Mail Command Injection is an attack technique used to exploit mail servers and webmail applications that construct IMAP/SMTP statements from user-supplied input that is not properly sanitized. an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server Read more…
bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows. https://github.com/jehy-security/bwapp https://sourceforge.net/projects/bwapp/ Installation 1. Download the Read more…
Server-side redirection vulnerabilities arise when an application takes user controllable input and incorporates it into a URL that it retrieves using a backend HTTP request. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a Read more…
John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak passwords. It is one of the most popular password testing and breaking programs as it combines Read more…
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker Read more…
Command injection is one of the top 10 OWASP vulnerability. it’s an attack in which arbitrary commands of a host OS are executed through a vulnerable application. The attack is possible when a web application sends unsafe user data to the system shell function within the running script. This user Read more…
XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data XPath is a standard language. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate Read more…
Mutillidae is a vulnerable framework where you can practice OWASP top 10, https://owasp.org/www-project-top-ten/ Download https://sourceforge.net/projects/mutillidae/ sudo git clone https://github.com/webpwnized/mutillidae.git 1. Install the required repositories (in this case I’m using php 7.3) sudo apt-get install php7.3-curl php7.3-mbstring php7.3-xml Extra Show php version php –version 2. Extract the Mutillidae content in /var/www/html Read more…
BeEF utilizes YAML files in order to configure the core functionality, as well as the extensions. Most of the core BeEF configurations are in the main configuration file: config.yaml, found in the BeEF directory. BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses Read more…
Shodan’s a search engine which helps find systems on the internet. It’s a great resource to provide passive reconnaissance. Some have described Shodan as a search engine for hackers, and have even called it “the world’s most dangerous search engine”. Devices that Shodan can find: Servers Routers Switches Printers on Read more…
Anonsurf uses TOR iptables to anonymize the whole system. Anonsurf gives users the capability of starting or stopping the I2P project. https://github.com/Und3rf10w/kali-anonsurf Installation 1. Download the file from github git clone https://github.com/Und3rf10w/kali-anonsurf.git 2. Run installer located in the download folder kali-anonsurf sudo bash installer.sh 3. Run the application after successful Read more…
The concept of permissions and ownership is crucial in Linux. On a Linux system, each file and directory is assigned access rights for the owner of the file, the members of a group of related users, and everybody else. owner – The Owner permissions apply only the owner of the Read more…
Blind SQL injection arises when an application is vulnerable to SQL injection, but its HTTP responses do not contain the results of the relevant SQL query or the details of any database errors. With blind SQL injection vulnerabilities, many techniques such as UNION attacks are not effective, because they rely Read more…
This has been writen to explain the steps to set a basic insecure SMTP lab. We are using hMailServer to act as a mail server & Thunderbird as mail client. https://www.hmailserver.com/ https://www.thunderbird.net/ Mail Server (hMailServer) 1. Start the wizzard 2. Next, Accept the license 3. Select the install folder, next Read more…
This Guide provides a high view of Windows local management of groups and users Users in windows a user account is a collection of settings used by Windows to understand your preferences. It’s also used to control the files and folders you access, the tasks you are allowed to perform, Read more…
This is a guide written to help administering Users and Groups properly in Linux. User Management useradd useradd is a low level utility for adding a new user or update default new user information When we run ‘useradd‘ command in Linux terminal, it performs following major things: It edits /etc/passwd, Read more…
The Linux terminal has a number of useful commands that can display running processes, kill them, and change their priority level. Parent and Child Processes Each unix process has two ID numbers assigned to it: The Process ID (pid) and the Parent process ID (ppid). Each user process in the Read more…
A picture metadata can change, example dates, if you download a picture directly from a browser. I recommend downloading the content using wget. Download from browser 1. In this case we can see a recent date (File modification date/time) ls -l needle.jpg date exiftool needle.jpg Download using wget 1. In Read more…
I used to play a lot with USB (making bootable images, encrypting, formating, etc). I got to a point where when I format it the space of the USB is lost. This is a tutorial on how to recover that space. This has happened to me when I use the Read more…
Apache is an open-source and free web server software How to use the services (System V) Start /etc/init.d/apache2 start Or sudo service apache2 start View Status service apache2 status Restart the service service apache2 restart Stop the service service apache2 stop service apache2 status Steps for RHEL 4.x/5.x/6.x or older Read more…
Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. This tool is written in Perl language. Open-source web server scanner that examines a website and reports back vulnerabilities. you can use with any Read more…
Crunch is a utility that is used to create wordlists using letters, numbers, and symbols for every possible combination or according to specific rules. Syntax to create the wordlist (lowercase letters, then uppercase letters, then numbers and finally symbols) crunch <min-len> <max-len> [<charset string>] [options] https://sourceforge.net/projects/crunch-wordlist/ How to use 1. Read more…
Cewl is a wordlist generator written in Ruby language, it spiders a given URL to a specified depth. It returns a list of words which can then be used for password crackers such as John the Ripper. https://github.com/digininja/CeWL It comes installed in most security OS How to use 1. Display Read more…
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client machine to the server machine, or vice versa. IT professionals use it for opening backdoors into the internal network from their home machines. If a port is blocked by a Firewall, you can use SSH Read more…
Used to test the quality and security of a Magento site you don’t have access to. This is a scanner for Magento https://github.com/steverobbins/magescan Installation 1. Download it from https://github.com/steverobbins/magescan/releases. (.phar file) 2. Show help -h, –help = Display this help message php magescan.phar –help 3. Display version of the app Read more…
sqlmap is one of the most popular and powerful SQL injection automation tool out there. Given a vulnerable http request URL, sqlmap can exploit the remote database and do a lot of hacking like extracting database names, tables, columns, all the data in the tables etc. It can even read Read more…
Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities, it uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. It is a paid tool and requires licenses for extension on the features. However, there Read more…
The HTTP response status code 302 Found is a common way of performing URL redirection. Permanent redirections These redirections are meant to last forever. They imply that the original URL should no longer be used, and replaced with the new one Code Text 301 Moved Permanently 308 Permanent Redirect Temporary Read more…
dirsearch is a simple command line tool designed to brute force directories and files in websites. https://github.com/maurosoria/dirsearch Installation 1. Download the source code git clone https://github.com/maurosoria/dirsearch.git ls cd dirsearch/ ls 2. To execute the program ./dirsearch.py python3 dirsearch.py How to use 1. Display the help menu ./dirsearch.py –help Search -w Read more…
wget is a free utility for non-interactive download of files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies. If you get access to use with root privileges it can be harmful. sudo -l Hacking steps 1. wget has the capability of Read more…
Finger is primarily used to enumerate user information on the target system. It can also find out detailed information (if exists) such as full name, email address, phone number etc. of all its users. Nmap result finger-user-enum finger-user-enum is a script used to enumerate users https://github.com/pentestmonkey/finger-user-enum Username guessing tool primarily Read more…
xxd creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form. Usage Displaying available options xxd –help man xxd 1. Converting a file to hex cat vk9-file.txt file vk9-file.txt 2. run xxd xxd vk9-file.txt 3. Skipping Read more…
This trick works on any CMS you access. In case, you get the credentials either by brute force, disclosure, etc. This example uses Joomla! CMS Joomla Reverse shell 1. Having access to the account and being able to edit the template Go to Extensions – Templates – Templates 2. Select Read more…
Gobuster is a tool used to brute-force on URLs (directories and files) in websites and DNS subdomains. Gobuster can be downloaded through the apt- repository and thus execute the following command for installing it. https://github.com/OJ/gobuster Gobuster is a tool used to brute-force: URIs (directories and files) in web sites. DNS Read more…
OWASP Joomla! Vulnerability Scanner (JoomScan) is an open source project, developed with the aim of automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments. It not only detects known offensive vulnerabilities, but also is able to detect many misconfigurations and admin-level shortcomings that can be exploited Read more…
This can be used to bypass switchport security mechanisms as an example. Also, it gives us another layer of anonymity. During a pentest you can do this if you get blocked by any security policy based on MAC address just change the MAC address and you’ll get in. Manual way Read more…
Activating Windows 10 license key, this tutorial is intended for lab machines. It is recommended to always buy licenses from vendor. Steps 1. Go to file explorer -> Right Click “This PC”-> Properties 2. At the bottom, we can verify whether Windows has been activated or not “Windows is not Read more…
find searches the directory tree rooted at each given starting-point by evaluating the given expression from left to right. In this article we will explore the most useful commands. Useful commands 1. Basic search of a file named vk9-security.txt, starting at / position find / -name vk9-security.txt 2. The same Read more…
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as Read more…
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka Read more…
Laravel is a web application framework with expressive, elegant syntax. https://www.easylaravelbook.com/blog/introducing-the-laravel-5-command-scheduler/ https://laravel.com/docs/5.8/scheduling#scheduling-artisan-commands The Laravel command scheduler allows you to manage your task execution dates and times using easily understandable PHP syntax. You’ll manage the task execution definitions in app/Console/Kernel.php Scheduling Your Command As was perhaps made obvious by the earlier Read more…
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. https://owasp.org/www-community/attacks/Command_Injection The cron daemon is a long-running process that executes commands at specific dates and times. For commands that need to be executed repeatedly (e.g., hourly, daily, Read more…
Magic numbers are the first bits of a file which uniquely identify the type of file. it can be helpful to look for file format signatures and inferring how the application is using them based on these signatures, as well as how these formats may be abused to provoke undefined Read more…
https://wiki.owasp.org/index.php/Testing_for_Local_File_Inclusion The File Inclusion vulnerability allows an attacker to include a file within the system, this happens due to bad handling of user input. Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, the parameter might be able Read more…
This time we will be exploring RFI and read file explorer https://wiki.owasp.org/index.php/Testing_for_Remote_File_Inclusion RFI Remote file inclusion allows an attacker to include file remote (from the web servers point of view) possibly allowing code execution, denial of service, and data disclosure. Since RFI occurs when paths passed to “include” statements are Read more…
This happens when a cyber-criminal controls somebody else’s account by using credentials (session ID, username number, etc.) In this example I will demonstrate this technique using Mutillidae, we’ll create 2 accounts and highjack it. OWASP 2017 – “A5 – Broken Access Control” – Insecure Direct References – Via Account Highjacking Read more…
Log in to DVWA admin/password, Session IDs have 4 levels (low, medium, high, impossible) We will first inspect the low one. So, set the level to low Low This script is very basic and unsecure, due to the session ID is created in plaintext and uses the most common sequences. Read more…
I am writing this based on OWASP and the book “The Web Application Hacker’s Handbook”. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html Introduction The HTTP protocol is essentially stateless. It is based on a simple request-response model, in which each pair of messages represents an independent transaction. applications use HTTP cookies as the transmission mechanism for Read more…
SDLC – programming securely The Software Development Lifecycle(SDLC) is a systematic process for building software that ensures its quality and correctness. It is a framework that defines tasks performed at each step in the software development process. A formally defined method for software development in the form of the SDLC Read more…
This is a summary of some tips from “The Web Application Hackers Handbook” to test authentication mechanisms as well as recommendations for securing it, it think that book is a great resource for learning web app pentest. Brute-Forcible Login 1. Manually submit several bad login attempts for an account you Read more…